IP Services

Disclaimer! These are my notes that I wrote down while studying. It’s not a description of how something works, it’s more like small bits and pieces that I felt I didn’t know very well and needed to remember. It’s probably entirely useless for anyone except for me, but if it helps someone that’s great!

NAT on the inside:
packets are first routed, then the source address is translated (the destination IP is global, so it can be looked up in the routing table)
NAT on the outside:
packets have the destination un-translated first; routing occurs after translation

NVI does not use inside/outside interfaces; it uses NVI interfaces
docs: IP Addressing Configuration -> NAT; 'ip nat enable' on all interfaces
unlike inside/outside NAT, you also need to enable NAT on loopbacks if you use them as the source
the reversible keyword is not supported with NVI
NVI can do all types of NAT: static, dynamic, overload
With NVI there are two routing lookups: once to send traffic to the NVI interface, then again to route it out of the box
the original scope of NVI was inter-VRF NAT; the two routing lookups can be in different VRFs
the NVI interface is basically a bridge between the VRFs in that case
Commands are the same, but without the 'inside' and 'outside' keywords. Ex:
(config)# ip nat source static <local> <global>
# show ip nat nvi [statistics|translations]

Extended NAT = matches not only src/dst IP, but also protocol type and port number (TCP port 80 etc.)
To allow static NAT mappings of one IL address to multiple IG addresses, the keyword extendable is added to the end of the mapping statements.
extendable = "Extend this translation when used" / "The extendable keyword allows every new translation to be fully extended, without binding a local IP address to a fixed global IP."
if trying to configure multiple static translations without extendable: "% 150.1.10.10 already mapped (150.1.10.10 -> 155.1.45.201)"

The NAT Default Interface feature allows all traffic received on the outside interface that does not already match an existing dynamic translation to be statically forwarded to an inside host:

ip access-list standard ALL
 permit any
!
ip nat inside source list ALL interface GigabitEthernet1.45 overload
ip nat inside source static 150.1.8.8 interface GigabitEthernet1.45

Reversible NAT

“Route Maps Outside-to-Inside”
An initial session from the inside to the outside host is required to trigger a NAT. New translation sessions can then be initiated from outside to the inside host that triggered the initial translation.

By default, when you use route-maps with NAT rules, extendable entries are created. This disallows an external user to open a reverse connection back to an inside host because no one-to-one mapping exists in the translation table. Reversible NAT allows creation of extendable entries along with reversible one-to-one mappings.

Policy NAT

ip nat inside source static <local> <global> route-map <rm> [reversible]
only match the NAT entry if the route-map matches. By default the route-map is only checked for traffic
going from inside to outside. Add the 'reversible' keyword to also check the route-map when going out -> in

Multiple policy NAT route-maps with overlapping matches are processed in alphanumeric order.
A more specific match does not count; only the name of the route-map decides.
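A policy NAT configuration that puts the route-map, 'reversible' and alphanumeric-ordering notes above together. This is an added example, not from the original notes; the interface names, addresses, ACL names and route-map names are constructed to match the notes' addressing (150.1.x.x inside, 155.1.45.x global).

```cisco
! Added example (not from the notes). All names and addresses are constructed.
! Goal: inside host 150.1.8.8 uses global 155.1.45.201 when talking to
! 155.1.45.0/24, and global 155.1.45.202 when talking to anything else.
!
ip access-list extended NAT_TO_LAB
 permit ip host 150.1.8.8 155.1.45.0 0.0.0.255
ip access-list extended NAT_TO_ANY
 permit ip host 150.1.8.8 any
!
! Both route-maps match the same host, so they overlap. The router walks
! them in alphanumeric order of the route-map NAME, not by ACL specificity,
! so the specific one is named to sort first (NAT_10_... before NAT_20_...).
! If they were swapped (NAT_10_ANY / NAT_20_LAB), the /24 entry would never
! be used, even though its ACL is more specific.
route-map NAT_10_LAB permit 10
 match ip address NAT_TO_LAB
!
route-map NAT_20_ANY permit 10
 match ip address NAT_TO_ANY
!
! Same local address, two globals: allowed here because each static entry
! is qualified by a route-map. 'reversible' on the lab mapping means the
! route-map is also checked for sessions initiated from the outside
! (out -> in), so a lab host can reach 155.1.45.201 without 150.1.8.8
! having to open a session first. The second mapping stays in -> out only.
ip nat inside source static 150.1.8.8 155.1.45.201 route-map NAT_10_LAB reversible
ip nat inside source static 150.1.8.8 155.1.45.202 route-map NAT_20_ANY
!
interface GigabitEthernet1.8
 ip nat inside
!
interface GigabitEthernet1.45
 ip nat outside
!
! Verification after traffic has flowed in both directions:
!   show ip nat translations
!   show ip nat statistics
!   show route-map NAT_10_LAB
```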

CBAC: dynamic modification of ACLs. Similar to reflexive ACLs, but can filter up to L7
“CBAC is configured and operates per interface, dynamically modifying ACL entries facing one direction based on the traffic it sees flowing in the opposite direction.”

For outside NAT you need to have a route for the virtual "outside local" address, even though it doesn't really exist
Create a host route towards the real destination IP, or use the 'add-route' keyword in the NAT statement.
Routing is done before the translation, which means you don't really need a route for the real destination in the routing table
For inside NAT, routing is done after translation?

DHCPv6 Prefix Delegation

DHCPv6 prefix delegation is separate from address assignment with DHCP
IA_PD = Identity Association for Prefix Delegation. It identifies a set of prefixes; there can be one IA_PD per router or one per set of interfaces, chosen by the requesting router